PMExtra / sentry-auth-ldap

A Sentry extension to add an LDAP server as an authentication source.
Apache License 2.0
27 stars 7 forks

Sentry v24.x.x #18

Closed jav-12 closed 2 months ago

jav-12 commented 7 months ago

Is this compatible with the latest Sentry (https://github.com/getsentry/sentry/releases/tag/24.4.1)?

I realized that the original plugin was deprecated a long time ago. Is this fork still available for newer versions?

thanks!

PMExtra commented 7 months ago

You can give it a try. If you encounter any problems, feedback is welcome and I will try my best to help you.

At least it works well with 23.7.2 which I am using.

ZsBT commented 3 months ago

Sentry's install.sh failed for me:

 File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/usr/src/sentry/src/sentry/runner/default_settings.py", line 8, in <module>
    populate_module(sys.modules[__name__])
  File "/usr/src/sentry/src/sentry/runner/importer.py", line 17, in populate_module
    _load_settings(SENTRY_CONF_PY, settings=settings_mod)
  File "/usr/src/sentry/src/sentry/runner/importer.py", line 28, in _load_settings
    exec(source_file.read(), conf.__dict__)
  File "<string>", line 48, in <module>
NameError: name 'AUTHENTICATION_BACKENDS' is not defined
Error in install/set-up-and-migrate-database.sh:19.
'$dcr web shell -c "
from django.db import connection

with connection.cursor() as cursor:
  cursor.execute('ALTER TABLE IF EXISTS sentry_groupedmessage DROP CONSTRAINT IF EXISTS sentry_groupedmessage_project_id_id_515aaa7e_uniq;')
  cursor.execute('DROP INDEX IF EXISTS sentry_groupedmessage_project_id_id_515aaa7e_uniq;')
"' exited with status 1
-> ./install.sh:main:38
--> install/set-up-and-migrate-database.sh:source:19

PMExtra commented 3 months ago

I'll upgrade to the latest Sentry to test and fix it when I have some free time, but that might take a few weeks.

If you're in a hurry, consider using an older Sentry (such as the latest version of v23.x) or try to fix it yourself.

Alena86 commented 2 months ago

I got it to work half way. I am using the latest self-hosted version of sentry (which I believe is 24.1.0) and 23.6.0 version of sentry-auth-ldap.

In order to get it to work, I added the LDAP settings environment to sentry.conf.py file as well as this code in enhance-image.sh

requirements=(
'sentry-auth-ldap==23.6.0'
# You can add other packages here, just like requirements.txt
)

# Install the dependencies of ldap
apt-get update
apt-get install -y --no-install-recommends build-essential libldap2-dev libsasl2-dev

# Quote the array expansion so each requirement stays a single argument
pip install "${requirements[@]}"

# Clean up to shrink the image size
apt-get purge -y --auto-remove build-essential
rm -rf /var/lib/apt/lists/*

I can see it is connected to the AD as it is not finding the users and there are no other errors besides this message:

web-1  | 14:24:07 [INFO] sentry.access.api: api.access (method='POST' view='sentry.web.frontend.auth_organization_login.AuthOrganizationLoginView' response=200 user_id='None' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/auth/login/sentry/' caller_ip='###.###.###.###' user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.39148998260498047 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')

Which I am guessing it is not getting the information from the user input? Would this be some quick fix? Or should I try to downgrade Sentry to v23.#?? Thank you.

PMExtra commented 2 months ago

@Alena86 Please provide your settings from sentry.conf.py

Alena86 commented 2 months ago

Here is my LDAP part of sentry.conf.py configuration. Not sure if it matters, but I also use external Postgres/Kafka/Redis since I already have those services up and running

############
#   LDAP   #
############
# Default domain to add to the user to get the e-mail address of the user.
AUTH_LDAP_DEFAULT_EMAIL_DOMAIN = '<company_internal_domain.com>'

import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfUniqueNamesType

# LDAP server info
AUTH_LDAP_SERVER_URI = 'ldap://<ldap_server>'
AUTH_LDAP_BIND_DN = '<full_BIND_DN_of_the_ldap_account>'
AUTH_LDAP_BIND_PASSWORD = '<bind_dn_password>'

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'DC=<company>,DC=<corporation>,DC=<DC>',
    ldap.SCOPE_SUBTREE,
    '(uid=%(user)s)',
)

AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    '',
    ldap.SCOPE_SUBTREE,
    '(objectClass=groupOfUniqueNames)'
)

AUTH_LDAP_GROUP_TYPE = GroupOfUniqueNamesType()
AUTH_LDAP_REQUIRE_GROUP = None
AUTH_LDAP_DENY_GROUP = None

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'uid',
    'email': 'mail'
}

AUTH_LDAP_FIND_GROUP_PERMS = False
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600

# Organization which to add the user to
AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'organization-slug'
# Role to assign to the user as they login the first time
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'member'
AUTH_LDAP_SENTRY_GROUP_ROLE_MAPPING = {
    'owner': ['sysadmins'],
    'admin': ['devleads'],
    'member': ['developers', 'seniordevelopers']
}
# First time users permissions to the global access of the organization.
AUTH_LDAP_SENTRY_ORGANIZATION_GLOBAL_ACCESS = True
# Projects to be assigned to the user by default.
AUTH_LDAP_SENTRY_SUBSCRIBE_BY_DEFAULT = False
# Specify which attribute to use as a Sentry username
AUTH_LDAP_SENTRY_USERNAME_FIELD = 'uid'
# Upper one is supposed to be obsolete and replaced by these 2:
AUTH_LDAP_USER_QUERY_FIELD = 'uid'

AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
    'sentry_auth_ldap.backend.SentryLdapBackend',
)

import logging
logger = logging.getLogger('django_auth_ldap')
logger.addHandler(logging.StreamHandler())
logger.addHandler(logging.FileHandler(r"/tmp/ldap2.log"))
logger.setLevel('DEBUG')

LOGGING['overridable']=['sentry','django_auth_ldap']
LOGGING['loggers']['fhango_auth_ldap']={
        'handlers':['console'],
        'level':'DEBUG'
        }

PMExtra commented 2 months ago

@Alena86

LOGGING['loggers']['fhango_auth_ldap']
                    ^^ It should be django?

Please configure the logging correctly first. Then maybe we can get some information from the log.

Alena86 commented 2 months ago

oooh boy.. stupid typo.... It took a bit to reinstall everything... Quick side question.. In order to test out changes to this file, do I have to rerun the install.sh every time? Cause that takes about 20 minutes :(

We are def getting a bit more information:

web-1  | 16:37:10 [DEBUG] django_auth_ldap: Binding as <Full CN of the LDAP bind user that we use in other apps>
web-1  | 16:37:10 [DEBUG] django_auth_ldap: Binding as <Full CN of the LDAP bind user that we use in other apps>
web-1  | 16:37:10 [DEBUG] django_auth_ldap: Invoking search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=user123)')
web-1  | 16:37:10 [DEBUG] django_auth_ldap: Invoking search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=user123)')
web-1  | 16:37:10 [ERROR] django_auth_ldap: search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=user123)') raised OPERATIONS_ERROR({'msgtype': 100, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})
web-1  | 16:37:10 [ERROR] django_auth_ldap: search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=user123)') raised OPERATIONS_ERROR({'msgtype': 100, 'msgid': 2, 'result': 1, 'desc': 'Operations error', 'ctrls': [], 'info': '000004DC: LdapErr: DSID-0C090C77, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563'})
web-1  | 16:37:11 [DEBUG] django_auth_ldap: search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=%(user)s)') returned 0 objects:
web-1  | 16:37:11 [DEBUG] django_auth_ldap: search_s('DC=<company>,DC=<corporation>,DC=<DC>', 2, '(uid=%(user)s)') returned 0 objects:
web-1  | 16:37:11 [DEBUG] django_auth_ldap: Authentication failed for user123: failed to map the username to a DN.
web-1  | 16:37:11 [DEBUG] django_auth_ldap: Authentication failed for user123: failed to map the username to a DN.

Looks like the ldap bind user didn't authenticate, even though we use the same CN in other apps and it worked.

PMExtra commented 2 months ago

So are you sure your username field is uid? For Microsoft AD it should be sAMAccountName.

PMExtra commented 2 months ago

> In order to test out changes to this file, do I have to rerun the install.sh every time? Cause that takes about 20 minutes :(

No, just restarting sentry-web container is enough.

Alena86 commented 2 months ago

> So are you sure your username field is uid? For Microsoft AD it should be sAMAccountName.

You are right.. it is sAMAccountName... Updated the config, it was still unable to find the user... I narrowed down a bit the search of the user by adding OU of user testing the login with:

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    'OU=<OU_of_user>,DC=<company>,DC=<corporation>,DC=<DC>',
    ldap.SCOPE_SUBTREE,
    '(sAMAccountName=%(user)s)',
)

And restarted web container and got the error of connection refused, but I am able to run simple ldapsearch on the machine with that basedn and that filter. Here is the error:

`urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='<sentry_host>', port=80): Max retries exceeded with url: /api/1/envelope/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f93202d2bd0>: Failed to establish a new connection: [Errno 111] Connection refused'))`

17:08:13 [ERROR] sentry_sdk.errors: Internal error in sentry_sdk

I reran the install.sh just in case to test out, and now I'm getting:

web-1  | 17:33:03 [WARNING] django_auth_ldap: 'sAMAccountName' while authenticating <username>
web-1  | 17:33:03 [WARNING] django_auth_ldap: 'sAMAccountName' while authenticating <username>
web-1  | Traceback (most recent call last):
web-1  |   File "/.venv/lib/python3.12/site-packages/django/core/handlers/exception.py", line 55, in inner
web-1  |     response = get_response(request)
web-1  |                ^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 197, in _get_response
web-1  |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
web-1  |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/sentry_sdk/integrations/django/views.py", line 89, in sentry_wrapped_callback
web-1  |     return callback(request, *args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/views/generic/base.py", line 104, in view
web-1  |     return self.dispatch(request, *args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/usr/src/sentry/src/sentry/silo/base.py", line 148, in override
web-1  |     return original_method(*args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/utils/decorators.py", line 48, in _wrapper
web-1  |     return bound_method(*args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
web-1  |     return view_func(request, *args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/usr/src/sentry/src/sentry/web/frontend/base.py", line 398, in dispatch
web-1  |     return self.handle(request, *args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/utils/decorators.py", line 48, in _wrapper
web-1  |     return bound_method(*args, **kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/views/decorators/cache.py", line 80, in _view_wrapper
web-1  |     response = view_func(request, *args, **kwargs)
web-1  |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/usr/src/sentry/src/sentry/web/frontend/auth_organization_login.py", line 90, in handle
web-1  |     response = self.handle_basic_auth(request, organization=organization)
web-1  |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/usr/src/sentry/src/sentry/web/frontend/auth_login.py", line 662, in handle_basic_auth
web-1  |     elif login_form.is_valid():
web-1  |          ^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/forms/forms.py", line 197, in is_valid
web-1  |     return self.is_bound and not self.errors
web-1  |                                  ^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/forms/forms.py", line 192, in errors
web-1  |     self.full_clean()
web-1  |   File "/.venv/lib/python3.12/site-packages/django/forms/forms.py", line 328, in full_clean
web-1  |     self._clean_form()
web-1  |   File "/.venv/lib/python3.12/site-packages/django/forms/forms.py", line 349, in _clean_form
web-1  |     cleaned_data = self.clean()
web-1  |                    ^^^^^^^^^^^^
web-1  |   File "/usr/src/sentry/src/sentry/web/forms/accounts.py", line 134, in clean
web-1  |     self.user_cache = authenticate(username=username, password=password)
web-1  |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/views/decorators/debug.py", line 75, in sensitive_variables_wrapper
web-1  |     return func(*func_args, **func_kwargs)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django/contrib/auth/__init__.py", line 79, in authenticate
web-1  |     user = backend.authenticate(request, **credentials)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 142, in authenticate
web-1  |     user = self.authenticate_ldap_user(ldap_user, password)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 200, in authenticate_ldap_user
web-1  |     return ldap_user.authenticate(password)
web-1  |            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 344, in authenticate
web-1  |     self._get_or_create_user()
web-1  |   File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 597, in _get_or_create_user
web-1  |     self._user, built = self.backend.get_or_build_user(username, self)
web-1  |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/sentry_auth_ldap/backend.py", line 37, in get_or_build_user
web-1  |     (user, built) = super().get_or_build_user(username, ldap_user)
web-1  |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web-1  |   File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 217, in get_or_build_user
web-1  |     query_value = ldap_user.attrs[self.settings.USER_ATTR_MAP[query_field]][0]
web-1  |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
web-1  | KeyError: 'sAMAccountName'
web-1  | 17:33:05 [ERROR] django.request: Internal Server Error: /auth/login/sentry/ (status_code=500 request=<WSGIRequest: POST '/auth/login/sentry/'>)
web-1  | 17:33:05 [INFO] sentry.access.api: api.access (method='POST' view='sentry.web.frontend.auth_organization_login.AuthOrganizationLoginView' response=500 user_id='None' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/auth/login/sentry/' caller_ip='10.1.49.1' user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36' rate_limited='False' rate_limit_category='None' request_duration_seconds=1.9423701763153076 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')

I am guessing this is due to:

AUTH_LDAP_USER_ATTR_MAP = {
    'name': 'sAMAccountName',
    'email': 'mail'
}

Which attribute is the attribute in Sentry and which one is in AD? Or is it this line: AUTH_LDAP_USER_QUERY_FIELD = 'sAMAccountName'

PMExtra commented 2 months ago

  1. Attribute key should be username instead of name, usually name should be mapped from displayName.

AUTH_LDAP_USER_ATTR_MAP = {
    'username': 'sAMAccountName',
    'name': 'displayName',
    'email': 'mail'
}

  2. AUTH_LDAP_USER_QUERY_FIELD need not be set. You can set it to username instead of sAMAccountName if you really want to specify it.

Alena86 commented 2 months ago

@PMExtra You are THE MAN!!! Moving forward :) We don't have any errors in the logs and the users are able to login.

The users are getting the error: No Organization Access, even though we have set them to be a member by default. I'm guessing this might be because the organization is not set to be sentry:

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION = u'organization-slug'

I'll try setting this to be sentry and see how it goes which is a default organization.

Also whatever I change in the UI General Settings it says how it cannot save the changes in the bottom right corner...

Also when I click on members it doesn't show me the user logged in just myself (admin account)

Which I'm not sure if it's this module or the actual self-hosted repo? :/

Alena86 commented 2 months ago

I tried changing the AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION to be 'sentry' as well as some other organization that doesn't exist and neither one worked. After some testing, we figured that it does create the user in Postgres DB "auth_user". It also connects that user with dbs: sentry_useroptions, sentry_userip and sentry_useremail. But it doesn't seem like it is adding the user to any sentry_organization* databases by default, even though by config I have: AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION to be "sentry" which is a default one.

PMExtra commented 2 months ago

AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION is a setting from the obsoleted upstream project, it should be set to the organization display name, which is unsuitable as an identifier.

So, I made a new setting named AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION, which is a more consistent naming, and used organization-slug as the identifier.

Maybe you are confused about them.

PMExtra commented 2 months ago

Another thing, I just noticed that you set the AUTH_LDAP_SENTRY_USERNAME_FIELD, which is obsoleted too.

It's replaced by AUTH_LDAP_USER_QUERY_FIELD and AUTH_LDAP_USER_ATTR_MAP.

PMExtra commented 2 months ago

@jav-12 @ZsBT I've verified this plugin can work fine with Sentry 24.7.1. So I think the problems you were encountering are not caused by compatibility. I'm going to close this issue now, feel free to open a new issue if you have other questions.

Alena86 commented 2 months ago

Based on your previous answers, I have set:

AUTH_LDAP_USER_QUERY_FIELD = "sAMAccountName" - which is the field we use for the username
AUTH_LDAP_USER_ATTR_MAP = { 'username': 'sAMAccountName', 'name': 'displayName', 'email': 'mail' }
AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION = 'organization-slug' - left it as a field which to read for organization name.

Commented out AUTH_LDAP_SENTRY_USERNAME_FIELD and AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION

and now I am getting error:

File "/.venv/lib/python3.12/site-packages/django_auth_ldap/backend.py", line 217, in get_or_build_user
web-1  |     query_value = ldap_user.attrs[self.settings.USER_ATTR_MAP[query_field]][0]
web-1  |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
web-1  | KeyError: 'sAMAccountName'
web-1  | 23:14:47 [ERROR] django.request: Internal Server Error: /auth/login/sentry/ (status_code=500 request=<WSGIRequest: POST '/auth/login/sentry/'>)

:( I even downgraded the sentry from latest to be 24.8.0 as the one that you have tested out. I even cleaned up all the databases and reinstalled everything from scratch and the same error when the user tried to connect with their AD credentials. Let me know if you want me to open a new issue for this, I'll gladly do that.

PMExtra commented 2 months ago

I have said that AUTH_LDAP_USER_QUERY_FIELD should be username rather than sAMAccountName, which is the default.

You set too many options that you don't understand, please follow the docs and keep it simple.

Alena86 commented 2 months ago

All the changes you see are cause I was trying to debug why it is not working... So to be clear, I copied your example from the README and just added our setup for:

AUTH_LDAP_SERVER_URI
AUTH_LDAP_BIND_DN
AUTH_LDAP_BIND_PASSWORD
AUTH_LDAP_USER_SEARCH
AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION is like you have u'organization-slug'
AUTH_LDAP_SENTRY_ORGANIZATION_ROLE_TYPE = 'admin'

updated the ATTR_MAP fields to be sAMAccountName and displayName from AD which you said in one of the previous posts.

everything else is like you have in example and people can login but are not being added to the default organization (which is what I posted in one of the previous posts :( where you said AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION is obsolete so I removed it. )

Is there anything else that I'm missing to add users automatically to the default organization? :/

PMExtra commented 2 months ago

Are you sure the organization-slug is correct?

Try to access http://your_sentry_host/organizations/{organization-slug}/ to check.

Alena86 commented 2 months ago

So I was playing with these settings a bit today.. The organization is by default named Sentry, and the Organization Slug is set to be sentry in the UI Admin page.

I haven't changed those, and it is set to be single organization, by setting: SENTRY_SINGLE_ORGANIZATION = True. I left AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION = u'organization-slug'.

When the other users login it is getting them in but still saying No Organization Access. When I try to reach http://our_sentry_host/organizations/{organization-slug}/ as a superuser it opens issues page with no issue. Same as when I do http://our_sentry_host/organizations/sentry/.

Afterwards I tried SENTRY_SINGLE_ORGANIZATION = False to see how will it behave. This setting would allow users to login, but it will automatically ask them to create a new organization and not add them to the existing ones.

When I set

SENTRY_SINGLE_ORGANIZATION = True
AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION = 'sentry'

Then it lets people login right away and adds them straight to default "sentry" organization.

PMExtra commented 2 months ago

So, you thought organization-slug was a constant?

No, it’s just a placeholder, I think you've figured that out by now.

So that’s all settled, right?

Alena86 commented 2 months ago

Yes, I thought you were saying AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION should stay 'organization-slug' as you are using that as a replacement for any organization name :) my bad. Just a note It might be useful to put either or put 'your-organization-slug' so people know to put whatever organization they have on their setup as what you have is the same as the field name, which got me confused.

Yes I'm all sorted out! Thank you so much! Wish all the support people are as responsive and helpful as you! Super grateful!
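
The configuration mistakes worked through in this thread, collected into a small checker. This is an added example, not code from sentry-auth-ldap or from any participant; `lint_ldap_settings`, the sample dicts and the `ldap.example.internal` host are hypothetical, and the final transport check goes beyond what the thread discusses.

```python
import difflib

# Settings the maintainer describes as obsolete in this thread -> replacement.
OBSOLETE = {
    "AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION": "AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION",
    "AUTH_LDAP_SENTRY_USERNAME_FIELD": "AUTH_LDAP_USER_QUERY_FIELD / AUTH_LDAP_USER_ATTR_MAP",
}
LDAP_LOGGER = "django_auth_ldap"


def lint_ldap_settings(conf):
    """Check a dict of sentry.conf.py globals; return [(setting, message), ...]."""
    findings = []

    for old, new in OBSOLETE.items():
        if old in conf:
            findings.append((old, f"obsolete, replaced by {new}"))

    # The traceback shows USER_ATTR_MAP[query_field]: the query field has to be
    # a key of the map (a user-model field), not an LDAP attribute name.
    attr_map = conf.get("AUTH_LDAP_USER_ATTR_MAP", {})
    query_field = conf.get("AUTH_LDAP_USER_QUERY_FIELD")
    if query_field and query_field not in attr_map:
        findings.append(("AUTH_LDAP_USER_QUERY_FIELD",
                         f"{query_field!r} is not a key of AUTH_LDAP_USER_ATTR_MAP "
                         f"{sorted(attr_map)}; login will raise KeyError"))

    # 'organization-slug' in the README is a placeholder for a real slug.
    if conf.get("AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION") == "organization-slug":
        findings.append(("AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION",
                         "still the placeholder; set your organization's slug"))

    # A misspelled logger key configures a logger that nothing writes to.
    loggers = conf.get("LOGGING", {}).get("loggers", {})
    if LDAP_LOGGER not in loggers:
        for name in difflib.get_close_matches(LDAP_LOGGER, list(loggers), cutoff=0.8):
            findings.append(("LOGGING", f"logger {name!r} looks like a typo of {LDAP_LOGGER!r}"))

    # Added check, not raised in the thread: ldap:// without StartTLS carries
    # the bind password and every user's password in cleartext.
    uri = conf.get("AUTH_LDAP_SERVER_URI", "")
    if uri.lower().startswith("ldap://") and not conf.get("AUTH_LDAP_START_TLS", False):
        findings.append(("AUTH_LDAP_SERVER_URI", "plain ldap:// without AUTH_LDAP_START_TLS"))

    return findings


# Constructed sample: the settings roughly as they stood midway through the thread.
BROKEN = {
    "AUTH_LDAP_SERVER_URI": "ldap://ldap.example.internal",
    "AUTH_LDAP_USER_ATTR_MAP": {"name": "sAMAccountName", "email": "mail"},
    "AUTH_LDAP_USER_QUERY_FIELD": "sAMAccountName",
    "AUTH_LDAP_SENTRY_USERNAME_FIELD": "uid",
    "AUTH_LDAP_DEFAULT_SENTRY_ORGANIZATION": "organization-slug",
    "AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION": "organization-slug",
    "LOGGING": {"loggers": {"fhango_auth_ldap": {"handlers": ["console"], "level": "DEBUG"}}},
}

# Constructed sample: the combination reported working at the end of the thread,
# with ldaps:// substituted (an assumption; the thread itself uses ldap://).
FIXED = {
    "AUTH_LDAP_SERVER_URI": "ldaps://ldap.example.internal",
    "AUTH_LDAP_USER_ATTR_MAP": {
        "username": "sAMAccountName", "name": "displayName", "email": "mail",
    },
    "AUTH_LDAP_SENTRY_DEFAULT_ORGANIZATION": "sentry",
    "LOGGING": {"loggers": {"django_auth_ldap": {"handlers": ["console"], "level": "DEBUG"}}},
}

if __name__ == "__main__":
    for setting, message in lint_ldap_settings(BROKEN):
        print(f"{setting}: {message}")
```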